Skillv1.2.0

ClawScan security

Browser Use Pro · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousMar 6, 2026, 6:50 PM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's instructions mostly match a browser-automation purpose, but there are important inconsistencies and security-relevant choices (undeclared API key usage, browser profile access, and remote-debugging instructions) that the user should understand before installing.
Guidance: This skill appears to do what it claims (complex browser automation) but has some concerning and inconsistent points you should address before using it: - Expect to provide an LLM API key (the SKILL.md uses api_key) even though the registry says no env vars — verify where and how you will store that key (prefer a dedicated env var or local config, not embedding in code). - Review the 'browser-use' package on PyPI/GitHub before pip installing. The SKILL.md claims large popularity; confirm the project identity and inspect its code or maintainers. - Run automation in an isolated environment: create a dedicated virtualenv, and use a separate browser profile (user_data_dir) or a disposable VM/container to avoid exposing your main browser cookies/sessions. - For Mode B (CDP/remote debugging), be aware that a Chrome instance launched with remote debugging can expose session data to whatever connects to that port. Only enable this when you fully trust the code you run and do so on an isolated profile or machine. - Limit data sent to the remote LLM: avoid enabling screenshots/use_vision when dealing with passwords or sensitive pages, and use the documented 'sensitive_data' placeholders, but validate that the library actually enforces that behavior. - If you need stronger guarantees, consider running the tool offline or with a self-hosted LLM, or perform the sensitive login step manually and then let the agent continue with non-sensitive actions. If you want, I can: (1) extract the exact places the SKILL.md asks for secrets, (2) provide a checklist to safely set up the venv and isolated browser profile, or (3) attempt to identify the 'browser-use' project's upstream source so you can audit it.

Review Dimensions

Purpose & Capability: noteName/description (browser automation for complex flows) aligns with the instructions and listed Python packages (browser-use, playwright, langchain-openai). However the registry metadata states 'Required env vars: none' while SKILL.md clearly requires an LLM API key (api_key in the example) and runtime configuration — this mismatch is unexplained.
Instruction Scope: concernThe SKILL.md instructs creating a virtualenv, pip-installing packages, running Playwright, writing/running Python scripts that drive real browsers, and optionally launching Chrome with --remote-debugging-port. Those steps can access local browser profiles, cookies, and pages; the skill also recommends sending screenshots and page content to an external LLM. Although the doc describes 'sensitive_data' placeholders, the instructions still place significant discretion and access in the agent (screenshots, HTML, and browser session data sent to an LLM), and they inconsistently state who must launch Chrome vs showing a command that launches it.
Install Mechanism: noteThis is instruction-only (no install spec). The suggested install flow uses pip and Playwright (standard package sources). That is lower-risk than arbitrary downloads, but the user should vet the PyPI packages (and the claimed 'browser-use' project) before pip installing into a host environment.
Credentials: concernMetadata declares no required env vars but SKILL.md demonstrates and implies an LLM API key (api_key) and use of user_data_dir for browser profiles. Requiring an API key for an LLM is expected for this functionality, but its absence from declared requirements is an incoherence. Also, connecting to a browser debug port and using an existing profile gives the agent access to cookies, sessions, and stored secrets — a high-scope capability that users must explicitly accept.
Persistence & Privilege: noteThe skill does not request 'always: true'. It suggests creating a per-user virtualenv (~ /browser-use-env) and a profile dir (~/.browser-use/task-profile), which is standard for a local tool but creates persistent artifacts in the user's home. It does not modify other skills or system-wide settings as documented.